note-automation

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This SKILL.md describes an orchestration that coordinates local scripts to post Markdown content to note.com and then set tags/publish. The documented capabilities are coherent with the stated purpose: asking the user for inputs, invoking note-draft to save a draft, extracting the article key from the draft output, and calling note-publish to set tags and publish. There are no explicit malicious patterns in this document (no remote download-and-execute, no suspicious third-party endpoints, no embedded secrets). The main risks are indirect: the orchestration depends on external scripts (publish.mjs, note-publish.mjs) and installed npm/Playwright dependencies whose code is not shown; those components could contain supply-chain or credential-exfiltration issues. Also, the use of .env and automation credentials is necessary but increases the attack surface if those credentials or scripts are compromised. Overall this orchestration file itself appears benign and purpose-aligned, but reviewers should inspect the referenced scripts and installed dependencies for credential handling, network endpoints, and any download-execute behavior before trusting automation that publishes content or uses account credentials.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Mar 18, 2026, 11:15 PM
Package URL: pkg:socket/skills-sh/anyoneanderson%2Fnote-md-publisher%2Fnote-automation%2F@34f1e77b157e50281b9ddf5e36632f8d171345f5